How private is your PC data? Thanks to the proliferation of Internet worms and hardware and
software spying tools, the erosion of loyalty between corporations and their employees, and the
9/11 disaster (which has caused many to value security over privacy and civil rights), the
likelihood is greater than ever that your computer is reporting your every move to a suspicious
spouse, a government agency, an employer, or the entire world. In this article, we'll cover the
most prevalent spying hardware and software and explain how it can be used, abused, and
detected.
A hardware key logger is a device that captures keystrokes en route from keyboard to PC.
KeyGhost (www.keyghost.com), a New Zealand company, offers two hardware key loggers. The first is
an inconspicuous cable that runs from the keyboard to the PC (prices start at $139 and go up to
$409 direct). The second is a keyboard with the logging hardware tucked entirely inside the case
($189 and up). The company claims to have a wide variety of bugged keyboards ready-made to match
many brands of computers. If your existing keyboard is unique, KeyGhost will modify it and return
it with the logger hidden inside. Both the internal and external versions have maximum capacities
of about 2MB—enough memory to capture as much as a year's worth of typing. The Spy Store
(www.thespystore.com/pcsurveillance.htm) shows a more compact external key logger ($139 direct).
It has a smaller memory capacity, but its capabilities are otherwise similar.
Hardware key loggers usually can't be detected by software and may be tough for non-technical
users to spot. They're also compatible with most operating systems and don't require complicated
installations. The main drawback is that they can't capture the information that appears on the
screen but isn't typed in by the user. So hardware devices are best used to sniff out small but
vital pieces of information, such as passwords.
Although keystroke-logging hardware is relatively new, software that performs the same
function is not. In 1988, I implemented a primitive network keystroke logger as a DOS TSR, using
the NetBIOS protocol. My motivation at the time was not to spy but to ensure that my programming
work was preserved on another machine in the event of a system crash.
But today's spying programs do much more than log keystrokes. Spying software can be selective
about the data it captures; administrators can set the software to skim information and then
capture more data when certain criteria are met. WinWhatWhere Investigator
(www.winwhatwhere.com), a major product in the monitoring market, captures keystrokes, e-mails
information about your activities when key phrases are entered, and even renames itself and
changes its location at random. If the victim's machine has a Webcam connected, WinWhatWhere
snaps pictures periodically and sends them out surreptitiously.
SpectorSoft (www.spectorsoft.com) makes Spector Pro, which captures screen shots, records
e-mail and chat sessions, and logs keystrokes. In short, if something of interest to you happens on
a user's machine, you will not only know what the person typed, you'll have logs of e-mail and
chat room conversations and pictures of the screen. Competing products such as D.I.R.T., from
Codex Data Systems (www.codexdatasystems.com/menu.html), offer similar features. And several
keystroke logger programs are freely available for download from many shareware archives. Logging
software is easier to detect via system diagnostic tools, however, and may be wiped off the hard
drive by reconfiguring or reinstalling the operating system.
In some cases, spying software may be installed as a virus, worm, or Trojan horse that arrives
via e-mail or an infected file. BackOrifice, a program created by a group of rogue hackers called
The Cult of the Dead Cow, can be installed in this way and can spy on and even commandeer the
victim's system. Several recent worms, including Badtrans.B, attempt to capture passwords and
credit card information from users' systems and forward the information to the worms' creators
via e-mail or Internet relay chat (IRC).
Another spying technique uses a network sniffer (usually a computer running special software)
installed on the same LAN as the victim's computer or upstream between the victim's computer and
the Internet. The sniffer taps and records the raw data flowing between the victim and other
machines; this data can be scanned later.
Only a few Internet protocols use encryption. E-mail is most often sent and retrieved as plain
text, and the password needed to break into someone's electronic mailbox is very rarely
encrypted. If encryption is used, a key logger can often be used to discover the password that
unlocks the data.
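
To check your own mail setup for the plain-text exposure described above, the following added example (not part of the original article) audits a client-side session log and flags every login command sent before the connection was upgraded to TLS. The "C: "/"S: " log format, the function name, and the sample sessions are assumptions constructed for illustration.

```python
import re

# Per protocol: credential-bearing command, TLS upgrade command,
# and the server reply that means the upgrade was accepted.
RULES = {
    "pop3": (r"^(USER|PASS)\b", r"^STLS\b", r"^\+OK\b"),
    "imap": (r"^\S+\s+(LOGIN)\b", r"^\S+\s+STARTTLS\b", r"^\S+\s+OK\b"),
    "smtp": (r"^(AUTH\s+(?:PLAIN|LOGIN))\b", r"^STARTTLS\b", r"^220\b"),
}

def audit_session(protocol, transcript):
    """Return (line number, command) for each login command sent without TLS.

    Only the command verb is reported; its argument (the secret) is not copied.
    """
    auth_re, tls_re, ok_re = (re.compile(p, re.I) for p in RULES[protocol])
    findings, pending, encrypted = [], False, False
    for number, line in enumerate(transcript, start=1):
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S":
            if pending:  # the upgrade counts only if the server accepts it
                encrypted = bool(ok_re.match(text))
                pending = False
            continue
        if encrypted:
            continue  # everything after a successful upgrade is protected
        if tls_re.match(text):
            pending = True
            continue
        match = auth_re.match(text)
        if match:
            findings.append((number, match.group(1).upper()))
    return findings

# Constructed sample sessions (not captured from any real server).
POP3_PLAIN = ["S: +OK POP3 server ready", "C: USER alice", "S: +OK",
              "C: PASS example-secret", "S: +OK mailbox locked"]
POP3_TLS = ["S: +OK POP3 server ready", "C: STLS", "S: +OK Begin TLS",
            "C: USER alice", "S: +OK", "C: PASS example-secret"]
# Failure mode: the server refuses TLS and the client logs in anyway.
SMTP_REFUSED = ["S: 220 mail.example.test ESMTP", "C: EHLO client.example.test",
                "S: 250 AUTH PLAIN LOGIN", "C: STARTTLS",
                "S: 454 TLS not available", "C: AUTH PLAIN <base64-credentials>"]

if __name__ == "__main__":
    for name, proto, log in [("pop3 plain", "pop3", POP3_PLAIN),
                             ("pop3 tls", "pop3", POP3_TLS),
                             ("smtp refused", "smtp", SMTP_REFUSED)]:
        print(name, audit_session(proto, log))
```
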
The FBI's Carnivore system, which is installed at ISP facilities to collect evidence, is one
example of a network sniffer. Civilian tools that can sniff LAN traffic—even on networks
supposedly protected from monitoring by network switches—are widely available for free via the
Internet.
Even if the party who wants to spy on you has no physical access to your network, you cannot
necessarily rest easy. A cracker who manages to gain control of any vulnerable system on your
network can set it up to sniff traffic from the rest of the network. And recently revealed bugs
in most implementations of SNMP (Simple Network Management Protocol) may provide an easy way for
intruders to take over managed hubs and switches, routers, print servers, and network appliances.
(For more on these bugs, see the CERT advisory.)